Tek-Tips is the largest IT community on the Internet today!


Access-List configs


RadioX

IS-IT--Management
May 15, 2001
I am trying to write an access list to block one IP from the outside. Here is how I have it written, but I am doing something wrong.

access-list 125 deny tcp any xxx.xx.xx.68 0.0.0.0
access-list 126 permit tcp any any

What I want to do is just block access to the one address. How would I go about doing this?

I am applying it to the FastEthernet interface that this is on like so:

ip access-group 125 in
ip access-group 126 in

Thanks for the help. I am new to writing these, so I am sure I will get it down somehow or another.
 
What interface will you block? What is the model number you will be using?


int e0
ip address 10.10.10.10 255.255.255.0
ip access-group 125 in

int e1
ip address 10.20.20.20 255.255.255.0
ip access-group 126 in

access-list 125 deny tcp any XXX.XXX.XXX.68 0.0.0.0
access-list 126 permit tcp any any
access-list 125 remark end of the list notice
access-list 125 permit ip any any
access-list 126 remark end of the list notice
access-list 126 permit ip any any

This is just a sample for information use only. You need to provide more specifics for your policy needs.
Route once; switch many
 
You are using an extended access list. If you need to block specific TCP or UDP ports then this is what you want, but you haven't used it in your above config. If you don't need this, use a standard list. If you just want no access to the network from one address, then use this format:

access-list 1 deny xxxx.xxxx.xxxx.68 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny any)

This would block any traffic from the xxxx.xxxx.xxxx.68 address and allow all others. If, on the other hand, you want to block all traffic from the net to your address, then just deny any any.

If you need an extended list to block specific traffic and allow others, here is the format:

access-list 101 deny tcp 172.5.8.2 0.0.0.0 any eq 23
access-list 101 permit ip any any

This would deny any telnet or SMTP from the address 172.5.8.2 to any address and allow all other traffic from any source to a destination.

Hope this helps.
 
I am using a Cisco 7206 with IOS 12.0(7). All I want to do is block outside access to one specific inside address and allow access to everything else. For example, I have a class C xxx.xxx.xx.1-255, but I want to block access to xxx.xxx.xx.68 and allow access to everything else.

That is what I am looking to do. Hopefully this makes more sense now.

Thanks for your help
Ron
 
Tell me the exact interface, the protocol you want to use and whether you want to block host addresses or network addresses. An access-group in will block incoming packets on the interface. An access-group out will block outgoing packets from an interface.
Route once; switch many
 
To block a specific host I would do this:

Let's say 10.10.10.68 is the host. I don't want any traffic from outside on this host.

access-list 102 deny ip any host 10.10.10.68

On the Ethernet interface the host is connected to:

ip access-group 102 in

I don't know this stuff by heart too well... I usually work my way through with question marks, but I think the above syntax should be correct.
 
access-list 102 deny ip any host 10.10.10.68
access-list 102 permit ip any any

This will deny any access to 10.10.10.68 and permit everything else.
 
Oops... forgot the invisible deny any any at the bottom of every ACL. Without the access-list 102 permit any any, ALL traffic on that interface would have been dropped.
 
OK, this is what I have written up:

access-list 102 deny ip any host 10.10.10.68 (substituted for my IP)
access-list 102 permit ip any any

I applied this to the FastEthernet interface as:
ip access-group 102 in

I can still ping the host, bring up pcAnywhere, etc., from the outside.
 
If the FastEthernet interface is the one with the host on it, then you are not preventing traffic to it by applying the ACL inbound on that interface. Either apply it inbound on the Ethernet interface or outbound on the outside interface.

access-list 102 deny ip any host 10.10.10.68 log
access-list 102 permit ip any any

int s0
ip access-group 102 in

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Get rid of the access-list 102 permit ip any any

The first command, access-list 102 deny ip any host 10.10.10.68, blocks all traffic to that host from any host address. When you use the second command it allows all traffic from any. You're contradicting yourself.

Just a guess but give it a try
 
int e0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip access-group 1 out

The "ip access-group 102 out" line says that we apply the policy set defined by extended access list 102 to all IP traffic going out through router interface Ethernet 0 from the router.
access-list 1 remark denies all traffic from router to host 10.10.10.68
access-list 1 deny 10.10.10.68 0.0.0.0

This will deny all traffic to that host using just a short standard access-list. But then you also deny troubleshooting protocols through.


"Certain configurations are so common that Cisco has developed text substitutes instead of port numbers or address mask pairs. The IP address/mask pair:
0.0.0.0 255.255.255.255
matches any host or network address. It can be replaced with the single term any. The IP address/wildcard mask pair of the form:
<IP address> 0.0.0.0
can be replaced with the form:
host <IP address>
These text substitutes can be used in both standard and extended access lists." (Access Lists in a Nutshell)

If you decide to block traffic from the host into the interface, change out to in.

Route once; switch many
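The following is an added example, not code from the thread: a small Python evaluator that models how IOS walks an access list (first match wins, with the implicit deny at the end that the "oops" post above describes) and how the `any`, `host` and address/wildcard forms quoted from "Access Lists in a Nutshell" match addresses. List numbers, sample lines and 10.x/172.x addresses are the thread's own; the 203.0.113.x and 198.51.100.x addresses used as packet endpoints are constructed.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)   # "0.0.0.0 255.255.255.255", what the keyword any stands for

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":   # host A is shorthand for "A 0.0.0.0"
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(lines, number):
    """Collect the entries of one list number, in order; remarks and
    other lists are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):      # extended list
            proto = rest.pop(0)
            src, dst = _parse_addr(rest), _parse_addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
        else:                                            # standard list: source only
            proto, src, dst, port = "ip", _parse_addr(rest), ANY, None
        entries.append((action, proto, src, dst, port))
    return entries

def _addr_match(spec, addr):
    net, wild = spec                 # a 1 bit in the wildcard means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; a packet matching no entry falls
    through to the implicit deny at the bottom of every list."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _addr_match(s, src) and _addr_match(d, dst):
            return action
    return "deny"

# The thread's final list (sample lines); drop the permit and everything is denied.
ACL_102 = ["access-list 102 deny ip any host 10.10.10.68",
           "access-list 102 permit ip any any"]
```

Note that the extended entry `deny tcp 172.5.8.2 0.0.0.0 any eq 23` matches only TCP port 23; traffic to port 25 falls through to the permit.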
 
The last one is correct. You need to apply it to the outbound traffic of the Ethernet interface; this way you don't get to the host. Leave the permit or you will stop all!! traffic on the interface. Don't worry: if the packet matches the host address it will be dropped first and will go no further into the access-list; if there is no match to the host you need the permit any or all packets are dropped.
 
Arrhh!! Yeah, we're getting there! I made a mistake on my previous post!

So, what I meant to say is apply it either inbound on the outside interface (traffic coming in to your router on the outside) or outbound on the ethernet interface (traffic going out into your internal network).

The "ip permit any any" statement is to allow all other traffic that is not blocked by a previous statement. If it wasn't there then all traffic would be blocked by the implied "deny ip any any". So, we have ..

access-list 102 deny ip any host 10.10.10.68 log (deny this IP)
access-list 102 permit ip any any (allow anything else)

int fa0
ip access-group 102 out

OR

int s0/0
ip access-group 102 in


Chris.


************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
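A second added example, again not code from the thread: a tiny two-interface router model showing why the list filtered nothing when applied inbound on the host's FastEthernet interface, yet works inbound on the outside interface or outbound on the inside one. Interface names s0 and fa0 follow Chris's post, the outside source address is constructed, and the matcher is list 102 reduced to its destination check.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Packet:
    src: str
    dst: str

@dataclass
class Interface:
    name: str
    acl_in: Optional[Callable] = None    # ip access-group ... in
    acl_out: Optional[Callable] = None   # ip access-group ... out

def acl_102(pkt):
    """access-list 102 deny ip any host 10.10.10.68 / permit ip any any."""
    return "deny" if pkt.dst == "10.10.10.68" else "permit"

def forward(pkt, ingress, egress):
    """Verdict for a packet entering on `ingress` and leaving on `egress`:
    the ingress 'in' list is checked first, then the egress 'out' list.
    Lists on the other direction of each interface are never consulted."""
    if ingress.acl_in and ingress.acl_in(pkt) == "deny":
        return "dropped at %s in" % ingress.name
    if egress.acl_out and egress.acl_out(pkt) == "deny":
        return "dropped at %s out" % egress.name
    return "forwarded"

def placements():
    """Try the four placements the thread went through for an outside->host
    packet crossing s0 (outside) -> fa0 (inside LAN holding the host)."""
    pkt = Packet("203.0.113.5", "10.10.10.68")   # constructed outside source
    results = {}
    for where in ("s0 in", "s0 out", "fa0 in", "fa0 out"):
        s0, fa0 = Interface("s0"), Interface("fa0")
        name, direction = where.split()
        setattr({"s0": s0, "fa0": fa0}[name], "acl_" + direction, acl_102)
        results[where] = forward(pkt, s0, fa0)
    return results

if __name__ == "__main__":
    for where, verdict in placements().items():
        print("%-8s -> %s" % (where, verdict))
```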
 
Thanks for all your help everyone. I am finally starting to understand how these work and will be able to use them for many things. I got my ACL working properly.

I just used:
access-list 102 deny ip any host xxx.xxx.xxx.xx
access-list 102 permit ip any any

applied this to my outside interface (s 1/0), and it works like a charm.

now just have to go back and set some other things up.

Thanks for all your help
Ron
 
In the words of Homer Simpson .... WOOOO HOOOO!!!

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Just to add a last note, here is a flow chart link worth bookmarking:

Link:

Access lists cannot filter traffic that originates at the router that holds them. Access lists affect only traffic that enters the router on one interface and leaves the router on another.

Here is a list of all the extended access list protocols denied or permitted when you use IP any any.

"Table A.1. IP protocols

Protocol name   IP protocol number
AH              51
EIGRP           88
ESP             50
GRE             47
ICMP            1
IGMP            2
IGRP            9
IP              0-255
IPINIP          94
NOS             4
OSPF            89
TCP             6
UDP             17" (Access Lists in a Nutshell)

Route once; switch many
 